This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Hugo_vd_Kooij
Advisor
‎2018-08-20 08:17 AM

LEA field names for email

Hi,

I am currently trying to wrap the syslog output of a Barracuda Email Security gateway into the Check Point.

While I have seen the LEA fields document of 2011 it seem to me I am missing rather a lot as far as email is concerned. But I might just be missing them.

It seems the "from" field works sometimes but not all lines are parsed correctly. The recipient is not yet seen.

I have the following data for which I am seeking the proper Check Point field name:

  1. Sender email address ("from" seems to work)
  2. Recipient email adress ("to" doesnt seem to work)
  3. Action (can I use anything beyond: "accept" | "drop" | "reject")
  4. Malware name if found (like: SFP.Malware.27291.RtfHeur)
  5. Description
  6. Spam score (signed float)
  7. Preferred Product Name for anti-spam.

Then I can's seem to find how I can wrap multiple fields into 1 other field.

Another issue is that I might have an issue with too greedy wildcards. The Eventia Log Parser Editor does not seem to understand .*? as valid.

 

 I can share a few more details in a private message but I prefer not to send all information to the list as the samples contain live data.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
Labels
2 Replies
PhoneBoy
Admin
Admin
‎2018-08-20 07:07 PM

Here’s a more current version of the LEA fields doc…

LEA Fields

0 Kudos
Hugo_vd_Kooij
Advisor
‎2018-08-24 06:30 AM

It seems I can get some details into the Check point logs and databases but it looks like it is still more or less interpretated as firewall logging. Even when I have the sending log entry I translanted a succesful send response code to the action field with the value of send. but it is instead listed as Drop in the logs.

And it seems it fails to parse some events in real life which were understood just fine in the Eventia Log Parsing Editor.

Which seems to indicate there is still a gap between documentation and what seems to happen. It seems I must do some hacking.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    li.common.scroll-to.top